Mouseflow Blog

A Response to the Princeton Study About Session Replay Tools

A few days ago, the University of Princeton published a study investigating the use of session replay tools. The study identified issues with many of our competitors’ tools and was picked up by several news outlets, some more prominent than others.

What It All Means

This coverage stirred up debate and raised questions about the privacy implications of session replay technology. While we’re happy that the study directed no criticism at Mouseflow, we’d like to address some of the concerns anyway:

We understand why being recorded might be worrying at first, but it’s important to know that we enforce contractual and technical measures to ensure that no personal data ends up in our hands. For us, session replay is a tool that can show you anonymized users’ interactions on your website. This is, of course, a great help in improving and optimizing a website.

But the tool is not intended to be a way to spy on individual users – or to save their personal data in any way. To put it simply: we don’t want to record personal data or have it touch our servers. We don’t use it and, quite frankly, our clients don’t need it. That’s why we explicitly prohibit our clients from recording personal data in our Terms of Use and require clients to take measures to prevent it from being tracked. We also highly recommend that our clients be transparent in their use of our service: telling users when and why they’re being recorded can help avoid these concerns in the first place.

On our side, we put in a great deal of effort to minimize any personal data that is accidentally recorded and to line up with local privacy regulations. As an example, we block all German websites from recording keystrokes, as it goes against the German privacy laws (BDSG). We also ensure that we never record sensitive information like passwords, credit card numbers, and the like – for any users. We even go as far as blocking all form fields which have more than 3 digits in them. Does this exclude too much data? Maybe, but we’d rather err on the side of caution than do too little.
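The field rules described above, sketched as an added example that is not Mouseflow's code: a client-side check that decides, before anything is sent, whether a form field's value may be recorded. The function names, the event shape and the `autocomplete` hints used to spot password and card fields are assumptions; only the password/credit-card exclusion and the "more than 3 digits" threshold come from the post.

```javascript
// Added example: field-level blocking for a session replay recorder.
// Hypothetical names throughout; not Mouseflow's implementation.

const MAX_DIGITS = 3; // the post's rule: "more than 3 digits" blocks the field

// Assumed signals for "passwords, credit card numbers, and the like".
const BLOCKED_TYPES = new Set(["password"]);
const BLOCKED_AUTOCOMPLETE = /^(cc-|current-password|new-password)/;

function countDigits(value) {
  // \p{Nd} counts any Unicode decimal digit, not only ASCII 0-9.
  return (String(value).match(/\p{Nd}/gu) || []).length;
}

// field: plain object { name, type, autocomplete, value }.
// Returns the reason the field is blocked, or null if it may be recorded.
function blockReason(field) {
  const type = (field.type || "text").toLowerCase();
  const hint = (field.autocomplete || "").toLowerCase();
  if (BLOCKED_TYPES.has(type)) return "sensitive-type";
  if (BLOCKED_AUTOCOMPLETE.test(hint)) return "sensitive-autocomplete";
  if (countDigits(field.value) > MAX_DIGITS) return "digits";
  return null;
}

// Builds the event that leaves the browser; a blocked value is never copied.
function toRecordedEvent(field) {
  const reason = blockReason(field);
  return reason
    ? { name: field.name, recorded: false, reason }
    : { name: field.name, recorded: true, value: field.value };
}

// Constructed sample form, not real user data.
const sampleForm = [
  { name: "search", type: "text", value: "red shoes" },
  { name: "zip", type: "text", value: "10001" },
  { name: "phone", type: "tel", value: "+45 12 34 56 78" },
  { name: "card", type: "text", autocomplete: "cc-number", value: "" },
  { name: "pw", type: "password", value: "abc" },
  { name: "apt", type: "text", value: "Flat 12B" },
  // No digits, so the digit rule alone does not block an e-mail address.
  { name: "email", type: "email", value: "jane@example.com" },
];

for (const event of sampleForm.map(toRecordedEvent)) {
  console.log(JSON.stringify(event));
}
```

Because the decision is made on the field before the event is built, a blocked value never enters the payload at all, which is the property to verify when auditing a recorder of this kind.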

Our efforts have been intensified recently due to the upcoming privacy legislation in Europe. The “General Data Privacy Regulation”, also known as GDPR, introduces a lot of changes to how personal data is handled. We already covered GDPR in a few blog posts, and will continue to keep you updated on our efforts on our GDPR and Security pages.

To sum up: session replay and privacy aren’t polar opposites – in fact, when done right, the two can co-exist peacefully.

Let us know your thoughts and contact us at if you have any questions.